fix(csp): allow https images in markdown preview and html sandbox

waleedlatif1 · waleedlatif1 · commit 2f2815559519 · 2026-05-01T18:11:05.000-07:00
diff --git a/apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/preview-panel.tsx b/apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/preview-panel.tsx
@@ -734,7 +734,7 @@ const HTML_PREVIEW_CSP = [
   "default-src 'none'",
   "script-src 'unsafe-inline'",
   "style-src 'unsafe-inline'",
-  'img-src data: blob:',
+  "img-src 'self' https: data: blob:",
   'font-src data:',
   'media-src data: blob:',
   "connect-src 'none'",
diff --git a/apps/sim/lib/core/security/csp.ts b/apps/sim/lib/core/security/csp.ts
@@ -61,23 +61,7 @@ const STATIC_SCRIPT_SRC = [
     : []),
 ] as const
 
-const STATIC_IMG_SRC = [
-  "'self'",
-  'data:',
-  'blob:',
-  'https://*.googleusercontent.com',
-  'https://*.google.com',
-  'https://*.atlassian.com',
-  'https://cdn.discordapp.com',
-  'https://*.githubusercontent.com',
-  'https://*.s3.amazonaws.com',
-  'https://s3.amazonaws.com',
-  'https://*.amazonaws.com',
-  'https://*.blob.core.windows.net',
-  'https://github.com/*',
-  'https://cursor.com',
-  ...(isHosted ? ['https://www.googletagmanager.com', 'https://www.google-analytics.com'] : []),
-] as const
+const STATIC_IMG_SRC = ["'self'", 'data:', 'blob:', 'https:'] as const
 
 const STATIC_CONNECT_SRC = [
   "'self'",
